Obscured Files in an Upper Filesystem Layer

A computer system can execute various processes that can access data stored in a storage system. A filesystem can be implemented to manage the organization and access of the data in the storage system. The filesystem organizes the data as files in various directories.

Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements. The figures are not necessarily to scale, and the size of some parts may be exaggerated to more clearly illustrate the example shown. Moreover, the drawings provide examples and/or implementations consistent with the description; however, the description is not limited to the examples and/or implementations provided in the drawings.

Data of a storage system accessible by processes in a computer system may include sensitive data, such as personally identifiable information (PII) data, proprietary data of an enterprise, or other types of data that is to be protected against access by unauthorized entities (humans, programs, or machines). PII data includes data that may potentially identify a property associated with a person, a program, or a machine. Examples of PII data can include any or some combination of the following: data that indicates properties of an operating system (OS); data relating to a configuration of a machine; a network routing information for a computer system, such as a network address (e.g., an Internet Protocol (IP) address or a Media Access Control (MAC) address), port information (e.g., Transmission Control Protocol (TCP) port information or User Datagram Protocol (UDP) port information); user settings; credentials (e.g., passwords, certificates, etc.); geolocation information; and so forth. Proprietary data of an enterprise can include financial data, product development data, payroll data, and so forth.

Various techniques to protect access to sensitive data may be inadequate or may be complex. Some techniques may define, for each process, the types of system calls that the process may invoke (while other system calls to access data are blocked) to protect against access of sensitive data. Such techniques involve manual configuration by a human administrator, which is time consuming and labor intensive. Further techniques can define configuration policies for respective processes, where a configuration policy can filter which system calls by processes are allowed. Setting up configuration policies to protect sensitive data may be complex. Other techniques can use namespaces associated with processes to control access to sensitive data. However, use of namespaces may protect against access to some sensitive data but not to other sensitive data. Additional techniques to protect against access to sensitive data may involve context switching between a user space and a kernel space, which is processing and memory intensive.

In accordance with some implementations of the present disclosure, a data protection mechanism uses a layered filesystem to protect sensitive data against unauthorized or unintended access. The layered filesystem includes a base filesystem layer that stores data files (or more simply “files”), some of which contain sensitive data. The layered filesystem further includes an upper filesystem layer that overlays the base filesystem layer. As part of provisioning a computer system, the data protection mechanism creates an upper filesystem layer for a collection of files. The data protection mechanism obscures the files of the collection so that at least portions of the files are inaccessible. Obscuring a file can refer to anonymizing the file or pseudonymizing the file, or otherwise rendering at least a portion of the file indecipherable. When a process later issues an access request for any file in the collection, the access request is handled at the upper filesystem layer. The upper filesystem layer returns the obscured file that is the target of the access request to the process. The process can be a process executed at a virtual compute entity, such as a container or a virtual machine. The process may alternatively be a user space process not executed in a virtual computing environment.

In accordance with some examples of the present disclosure, computer functionality is improved by protecting sensitive data from unauthorized access, to prevent damage to the computer system or an enterprise operating the computer system. Protection is also provided against access and use of sensitive data that may be leveraged by malware to cause a disruption of the computer system. The protection of sensitive data can be achieved using a data protection mechanism that effectively provides a firewall against unauthorized access and that is not complex to implement since creation of upper filesystem layers of layered filesystems is relatively straightforward.

Anonymizing sensitive data in a file can include removing the sensitive data or otherwise rendering the sensitive data unrecoverable. Pseudonymizing sensitive data in a file can refer to replacing the sensitive data with a pseudonym (data with no real meaning) in the file.

A base filesystem layer refers to a filesystem associated with an operating system (OS), such as a Linux OS or another type of OS. A filesystem is used to organize data in files stored in a hierarchy of directories.

An upper filesystem layer refers to a separate filesystem layer that overlays the base filesystem layer. The upper filesystem layer presents a subset of files and directories that are present in the base filesystem layer. The upper filesystem layer can also be referred to as an overlay filesystem layer. In an example, the upper filesystem layer can present a directory tree (including a hierarchical arrangement of directories and files in the directories) that is also present in the base filesystem layer. The directory tree in the upper filesystem layer is a subset of the directory structure present in the base filesystem layer.

The combination of the base filesystem layer and an upper filesystem layer (that overlays the base filesystem layer) forms a layered filesystem, such as the Linux layered filesystem. Other types of layered filesystems may be a Unionfs filesystem, an advanced multi-layered unification filesystem (AUFS), or any other type of layered filesystem.

1 FIG. 1 FIG. 100 102 104 106 102 100 100 is a block diagram of a computer systemthat includes a layered filesystemand processes,that are able to access files of the layered filesystem. The computer systemcan be implemented using one or more computers. Although two processes are shown in, in other examples, the computer systemcan include just one process or more than two processes. A process can be a user space process or a process executed at a virtual compute entity such as the VM or container.

102 108 110 110 108 102 1 FIG. The layered filesystemincludes a base filesystem layerand an upper filesystem layer. Although just one upper filesystem layeris shown in, in other examples, multiple upper filesystem layers may overlay the base filesystem layerin the layered filesystem.

100 112 114 116 112 108 112 108 1 1 FIG. The computer systemincludes a data protection enginethat has an upper filesystem layer creation moduleand an obscuring module. The data protection engineis used to protect certain data in files of the base filesystem layeragainst access by unauthorized processes, such as processes of malware or other entities not authorized to access the data. In some examples, the data protected by the data protection engineincludes sensitive data. The base filesystem layerstores files 1 to N (N≥), where at least some of the files contain sensitive data. In, file 1 contains sensitive data and file N contains sensitive data. File 2 does not contain sensitive data.

112 100 112 118 100 112 112 118 The data protection enginecan be implemented in the user space of the computer system. Alternatively, the data protection enginecan be implemented in a kernel space of the OSof the computer system. In further examples, a portion of the data protection enginecan be implemented in the user space, while another portion of the data protection enginecan be implemented in the kernel space. The kernel space is a portion of a memory address space reserved for running privileged portions (e.g., the kernel) of the OS, while the user space is another portion of the memory address space where other programs, such as application programs, can execute.

100 114 122 110 108 110 110 120 118 110 120 110 110 120 108 During provisioning of the computer system, the upper filesystem layer creation modulecreates (at) the upper filesystem layerto overlay the base filesystem layer. Creating the upper filesystem layerincludes mounting the upper filesystem layerso that an overlay filesystem driverof the OSfirst checks if a requested file is in the upper filesystem layer, and if so, the overlay filesystem driverreturns the requested file from the upper filesystem layer. If the requested file is not in the upper filesystem layer, the overlay filesystem driveraccesses the requested file in the base filesystem layer.

120 118 102 102 The overlay filesystem driveris an entity in the OSthat is responsible for managing the access of the layered filesystem, and more specifically, for managing the access of files in a hierarchy of directories in the layered filesystem.

118 Provisioning a computer system can refer to initially setting up the computer system, which includes installing firmware and the OS. In further examples, provisioning the computer system can additionally refer to changing a configuration of the computer system after the initial setup, such as to perform maintenance or repair.

112 124 108 116 112 The data protection engineretrieves (at) each file of the base filesystem layerthat is to be protected. In some examples, a file is to be protected if the file contains sensitive data, such as files 1 and N. The obscuring modulein the data protection engineobscures each file that is to be protected. Obscuring a file can refer to obscuring the entire content of the file, or obscuring a portion (less than the entire content) of the file. Obscuring the file involves rendering at least a portion of the file indecipherable, such as by anonymizing or pseudonymizing at least the portion of the file. Anonymizing sensitive data in a file can include removing the sensitive data. In some cases, the entire content of the file may be removed so that the anonymized file includes empty content. In other cases, just certain parts of the file are anonymized by removing the content (with sensitive data) in the parts, while other parts of the file (without sensitive data) are not anonymized. Pseudonymizing sensitive data in a file can refer to replacing the sensitive data with a pseudonym (data with no real meaning) in the file. A process that is provided with the anonymized file or pseudonymized file would not be able to recover the sensitive data that has been removed or replaced. Other techniques of obscuring a file can include encrypting the file, or replacing the file with a shell file that does not contain any meaningful content. Encrypting a file can refer to encrypting a portion (less than the entirety) or the entirety of the file.

1 FIG. 112 126 110 110 110 In the example of, the files obscured are files 1 and N. The data protection engineadds (at) obscured files 1 and N to the upper filesystem layer. Adding an obscured file to the upper filesystem layeris achieved by writing the obscured file to the upper filesystem layer.

110 108 110 108 110 108 110 108 108 100 104 106 Obscured file 1 in the upper filesystem layerand file 1 in the base filesystem layershare the same file identifier, such as a pathname that includes the filename of file 1 and the directory or directories that file 1 is (are) part of. Similarly, obscured file N in the upper filesystem layerand file N in the base filesystem layershare the same identifier. A file (or a directory) with the same file identifier that appears in both the upper filesystem layerand the base filesystem layeris retrieved from the upper filesystem layerand not from the base filesystem layer. Effectively, the file with the same identifier in the base filesystem layeris hidden from processes in the computer system, including the processes,.

110 110 120 110 120 108 By adding the obscured files 1 and N to the upper filesystem layer, any file access targeting a given file identifier that is present in the upper filesystem layerwill cause the identified obscured file to be retrieved by the overlay filesystem driverfrom the upper filesystem layer. The overlay filesystem driverwould not access the non-obscured file identified by the given file identifier from the base filesystem layer, so that the non-obscured file (which may contain sensitive data) is not exposed. When a process receives an obscured file, the process would be unable to recover the content that was obscured.

104 106 100 102 102 118 100 102 102 110 102 102 120 118 110 110 102 102 110 102 120 108 In some examples, when certain processes (e.g.,and) are started in the computer system, each such process is configured with access to the layered filesystem. A process configured with access to the layered filesystemis one without privileges to access sensitive data. For example, an OSin the computer systemcan provide, to the process, information of the layered filesystemso that the process can issue access requests to the layered filesystem. Due to the presence of the upper filesystem layerin the layered filesystem, any access request from the process to access a file (identified by a file identifier) in the layered filesystemis handled by the overlay filesystem driverin the OSby first checking if the file is present in the upper filesystem layer. If so, the access request is satisfied by returning the file from the upper filesystem layer, i.e., the base filesystem layeris not accessed so that effectively the file with the same file identifier in the base filesystem layeris effectively hidden from the requesting process if the requested file is present in the upper filesystem layer. However, if the requested file is not present in the upper filesystem layer, then the overlay filesystem driveraccesses the requested file from the base filesystem layer.

108 118 108 110 Other processes with elevated privileges to access sensitive data (e.g., processes associated with programs used by users in selected departments of an enterprise) may be configured to access files directly from the base filesystem layer. Another filesystem driver (not shown) in the OScan handle requests from processes with the elevated privileges to access files (which may contain sensitive data) from the base filesystem layer(effectively bypassing the upper filesystem layerthat contains obscured files).

108 120 120 In examples where multiple upper filesystem layers are created to overlay the base filesystem layer, the multiple upper filesystem layers may be associated with respective collections of processes. Access requests from a first collection of processes can be directed by the overlay filesystem driverto a first upper filesystem layer (which includes a first collection of obscured files), access requests from a second collection of processes can be directed by the overlay filesystem driverto a second upper filesystem layer (which includes a first collection of obscured files), and so forth. As used here, a “collection” of items can refer to a single item or multiple items. Thus, a collection of processes can refer to a single process or multiple processes, and a collection of files can refer to a single file or multiple files.

104 106 128 128 104 106 118 The processes,can issue file access requests to an interface. The interfacecan include any of the following types of interfaces: a system call interface, a /proc interface, and a /sys interface. The system call interface includes a set of functions that can be invoked by processes using system calls. The system call interface is an interface between user space processes (e.g.,and) and the OS. A system call can be sent by a process to read or write files. For example, system calls can be issued to obtain a process identifier of a process, a host name, system information, or any other sensitive data.

118 104 106 104 106 128 118 A /proc interface is used by a kernel of the OSto communicate information between the user space (including the processes,) and the OS kernel. The /sys interface is another type of interface from the user space to the OS kernel. The processes,can issue read or write requests through the /proc interface or /sys interface. In other examples, the interfacecan be implemented using another type of interface to allow a process to access files in a filesystem provided by the OS.

104 106 102 120 104 106 128 110 120 110 120 108 118 108 Assuming that the processes,are configured with access to the layered filesystem, the overlay filesystem driverresponds to an access request from either processorreceived through the interfaceby first determining if the requested file is in the upper filesystem layer, and if so, the requested file (an obscured file) is returned by the overlay filesystem driverto the requesting process. If the requested file is not in the upper filesystem layer, the overlay filesystem driverretrieves the file from the base filesystem layer. Another process (not shown) with elevated privileges may be configured by the OSto access the base filesystem layerdirectly, so that the other process may be able to obtain non-obscured files.

2 FIG. 100 112 114 112 202 110 108 is a flow diagram of a flow for protecting files. During provisioning of the computer system, the data protection engineis invoked, such as by a user, a program, or a machine. The upper filesystem layer creation moduleof the data protection enginecreates (at) the upper filesystem layerthat overlays the base filesystem layer.

112 204 108 112 The data protection engineidentifies (at) files in the base filesystem layerthat are to be protected. This identification can be based on configuration information provided to the data protection engine, where the configuration information lists files that are to be protected, such as files containing sensitive data.

112 206 108 128 110 120 108 112 The data protection engineretrieves (at) the identified files from the base filesystem layer. The retrieval of the identified files can be accomplished by issuing read requests, such as via the interface. Since the identified files are not yet in the upper filesystem layer, the overlay filesystem driverobtains the identified files from the base filesystem layer, and returns the identified files to the data protection engine.

116 112 208 108 112 210 110 The obscuring modulein the data protection engineobscures (at) the identified files retrieved from the base filesystem layer. The data protection enginewrites (at) the obscured files to the upper filesystem layer. For example, the obscured files include obscured files 1 and N.

104 106 128 120 212 120 214 110 110 214 110 120 216 110 218 Subsequently, a process (e.g.,or) issues a file access request (read request or write request) to access a requested file. The file access request is issued to the interface. The overlay filesystem driverreceives (at), from the process, the file access request, which includes an identifier of the requested file. The overlay filesystem driverdetermines (at) whether the identifier of the requested file is present in the upper filesystem layer. For example, an identifier of file 1 or N is present in the upper filesystem layer. In response to determining (at) that the identifier of the requested file is present in the upper filesystem layer, the overlay filesystem driverobtains (at) the obscured file (e.g., obscured file 1 or N) from the upper filesystem layer, and sends (at) the obscured file to the process.

120 214 110 120 220 2 108 222 However, if the overlay filesystem driverdetermines (at) that the identifier of the requested file (e.g., file 2) is not present in the upper filesystem layer, the overlay filesystem driverobtains (at) the requested file (e.g., file) from the base filesystem layer, and sends (at) the requested file to the process.

3 FIG. 300 is a block diagram of a non-transitory machine-readable or computer-readable storage mediumstoring machine-readable instructions that upon execution cause a computer system to perform various tasks.

302 The machine-readable instructions include base filesystem layer file storage instructionsto store, by a base filesystem layer, a file. The file can include sensitive data to be protected against unauthorized access.

304 The machine-readable instructions include upper filesystem layer creation instructionsto create an upper filesystem layer that overlays the base filesystem layer. The upper filesystem layer is to be used for storing files to be protected against unauthorized access.

306 The machine-readable instructions include file obscuring instructionsto obscure the file to render at least a portion of the file inaccessible. The obscuring can include anonymizing or pseudonymizing at least the portion of the file, for example. Other ways of obscuring can include encrypting the file or replacing the file with a shell file. In examples where less than an entirety of the file is obscured, a first portion of the file can be obscured, while a second portion of the file remains unobscured.

308 304 306 308 The machine-readable instructions include obscured file addition instructionsto add the obscured file to the upper filesystem layer. The upper filesystem layer creation instructions, the file obscuring instructions, and the obscured file addition instructionscan be performed as part of provisioning the computer system.

310 120 1 FIG. The machine-readable instructions include access request response instructionsto, responsive to an access request from a process targeting the file, return, from the upper filesystem layer, the obscured file to the process. In some examples, an overlay filesystem driver (e.g.,in) of an OS can determine, in response to the access request, whether the targeted file is in the upper filesystem layer. If so, the targeted file is retrieved from the upper filesystem layer. If not, the targeted file is retrieved from the base filesystem layer.

In some examples, the file in the base filesystem layer is inaccessible to (hidden from) the process if the file is present in the upper filesystem layer.

In some examples, the file is part of a plurality of files stored by the base filesystem layer. The machine-readable instructions can obscure the plurality of files and add the obscured plurality of files to the upper filesystem layer. The obscured plurality of files is accessible to the process.

In some examples, the access request comprises a system call from the process.

In some examples, the access request is received through a /proc interface or a /sys interface.

In some examples, the base filesystem layer and the upper filesystem layer form a layered filesystem, and an identifier of the file is present in both the base filesystem layer and the upper filesystem layer.

In some examples, when starting the process in the computer system, the machine-readable instructions can configure the process to use the layered filesystem. The process is provided with information of the layered filesystem so that the process can issue access requests to the layered filesystem.

In some examples, the process is a user space process or is executed at a virtual compute entity (e.g., a container or a VM) in the computer system.

4 FIG. 1 FIG. 400 400 100 is a block diagram of a computer systemaccording to some examples. The computer systemis an example of the computer systemof.

400 402 The computer systemincludes a hardware processor(or multiple hardware processors). A hardware processor can include a microprocessor, a core of a multi-core microprocessor, a microcontroller, a programmable integrated circuit, a programmable gate array, or another hardware processing circuit.

400 404 402 The computer systemincludes a storage mediumstoring machine-readable instructions executable on the hardware processorto perform various tasks. Machine-readable instructions executable on a hardware processor can refer to the instructions executable on a single hardware processor or the instructions executable on multiple hardware processors.

404 406 The machine-readable instructions in the storage mediuminclude protected file identification instructionsto identify a file, in a base filesystem layer, to be protected from unauthorized access. Such a file may be a file containing sensitive data.

404 408 128 1 FIG. The machine-readable instructions in the storage mediuminclude file retrieval instructionsto retrieve the file from the base filesystem layer. The retrieval request can be issued to the interfaceof, for example.

404 410 The machine-readable instructions in the storage mediuminclude file obscuring instructionsto obscure the file and add the obscured file to an upper filesystem layer that overlays the base filesystem layer. The obscured file added to the upper filesystem layer has the same identifier (e.g., pathname) as the original file in the base filesystem layer.

404 412 128 1 FIG. The machine-readable instructions in the storage mediuminclude file access request receipt instructionsto receive, from a process, a request to access a first requested file identified by a first file identifier. The request may be submitted to the interfaceof, for example.

404 414 The machine-readable instructions in the storage mediuminclude file identifier presence determination instructionsto determine whether the first file identifier is present in the upper filesystem layer. A protected file will have a file identifier present in both the upper filesystem layer and the base filesystem layer.

404 416 The machine-readable instructions in the storage mediuminclude obscured file return instructionsto, based on determining that the first file identifier is present in the upper filesystem layer, return an obscured version of the first requested file from the upper filesystem layer to the process.

5 FIG. 1 FIG. 100 is a flow diagram of a flow according to some examples of the present disclosure. The flow may be performed in the computer systemof, for example.

114 502 114 112 During provisioning of a computer system, the upper filesystem layer creation modulecreates (at) an upper filesystem layer that overlays a base filesystem layer to form a layered filesystem. The upper filesystem layer creation modulemay be part of the data protection engineinvoked during the provisioning.

112 504 The data protection engineidentifies (at) files to be protected against unauthorized access. The files may be identified in configuration information listing which files are to be protected.

116 112 506 112 508 The obscuring moduleof the data protection engineobscures (at) the files to produce obscured files. Obscuring the files can include anonymizing or pseudonymizing the files, for example. The data protection engineadds (at) the obscured files to the upper filesystem layer.

120 510 120 512 Based on receipt of a file access request to access a requested file, the overlay filesystem driverdetermines (at) whether an identifier of the requested file is present in the upper filesystem layer. Based on a determination that the identifier of the requested file is present in the upper filesystem layer, the overlay filesystem driversends (at) an obscured version of the requested file from the upper filesystem layer to a process that submitted the file access request.

112 1 FIG. As used here, an “engine” (e.g., the data protection engineof) can refer to one or more hardware processing circuits, which can include any or some combination of a microprocessor, a core of a multi-core microprocessor, a microcontroller, a programmable integrated circuit, a programmable gate array, or another hardware processing circuit. Alternatively, an “engine” can refer to a combination of one or more hardware processing circuits and machine-readable instructions (software and/or firmware) executable on the one or more hardware processing circuits.

114 116 A “module” (e.g., the upper filesystem layer creation moduleand the obscuring module) in an engine can be implemented with a portion of the hardware processing circuitry of the engine, or with machine-readable instructions executable by the engine.

300 3 404 FIG.or 4 FIG. A storage medium (e.g.,inin) can include any or some combination of the following: a semiconductor memory device such as a dynamic or static random access memory (a DRAM or SRAM), an erasable and programmable read-only memory (EPROM), an electrically erasable and programmable read-only memory (EEPROM), or a flash memory; a magnetic disk such as a fixed, floppy and removable disk; another magnetic medium including tape; an optical medium such as a compact disk (CD) or a digital video disk (DVD); or another type of storage device. Note that the instructions discussed above can be provided on one computer-readable or machine-readable storage medium, or alternatively, can be provided on multiple computer-readable or machine-readable storage media distributed in a large system having possibly plural nodes. Such computer-readable or machine-readable storage medium or media is (are) considered to be part of an article (or article of manufacture). An article or article of manufacture can refer to any manufactured single component or multiple components. The storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.

In the present disclosure, use of the term “a,” “an,” or “the” is intended to include the plural forms as well, unless the context clearly indicates otherwise. Also, the term “includes,” “including,” “comprises,” “comprising,” “have,” or “having” when used in this disclosure specifies the presence of the stated elements, but do not preclude the presence or addition of other elements.

In the foregoing description, numerous details are set forth to provide an understanding of the subject disclosed herein. However, implementations may be practiced without some of these details. Other implementations may include modifications and variations from the details discussed above. It is intended that the appended claims cover such modifications and variations.